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Revalidation o£ a conipiler for sa fety control 

5 TECHNICAL FIELD 

The present invention concerns revalidation of a compiler 
of control language for use in an industrial control 
system. In particular the invention reveals a method to 
revalidate a contpiler for con^ilation of a user written 
10 program, which is intended for safety control of real 
world entities. The user written program subject to 
conqpilation by the compiler is intended for execution in 
a device, which conqprises functionality that adds safety 
features to an industrial control system. The invention 
15 insures that no fault is introduced into the device due 
to error in the conqpiler code. Such an error can for 
instance occur during distribution of the conpiler code. 
An error can also occur due to failure in a conputer's 
memory or on a disk where the conqpiler code is stored. 
20 The invention insures that no such fault is introduced 
into the control of real world entities which otherwise 
could lead to accidents that harm people or cause damage 
to the environment. 

25 BACKGROUIilD ART 

Industrial control systems are for instance applied in 
manufacturing and process industries, such as chemical 
plants, oil production plants, refineries, pulp and paper 
mills, steel mills and automated factories. Industrial 
30 control systems are also widely used within the power 
industry. Such industrial control systems may need to 
con5>rise or be coxobined with devices, which adds safety 
features. acan5>le of processes vOilcb. requires additional 
safety features than what a standard industrial control 
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system provides are processes at off-shore production 
platforias, certain process sections at nuclear power 
plants and hazardous areas at chemical plants . Safety 
features may be used in conjunction with safety shutdown, 
5 fire and/or alarm systems as well as for fire-and-gas 
detection. 

An exans>ie of an industrial control system, which 
includes a safety critical function, is described in 
10" DE19857683 ''Safety critical function monitoring of 
control systems for process control applications has 
separate unit" . The system has a main controller bus 
coupled to different processors via a number of 
decentralized data receivers. 



15 
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The use of general-purpose computer systems raises issues 
in that a user written program do not get affected by a 
fault in the compiler code. 



'Compilers: Principles, techniques and tools" by Alfred 
V. Hho, Ravi Sethi and Jeffrey D. Ullman published 1988 
by Addison-Wesley publishing conpany, includes a 
discussion on verification of general-purpose con«>ilers. 
Page 731 paragraph 11-4 "Testing and maintenance" handles 
25 the verification of coitpilers according to standard 

software testing. One approach, suggested in the book, is 
the "regression" test. A suite of test programs is 
maintained, and whenever a con«)iler is modified, the test 
programs are compiled using both the new and old version 
30 of the con«>iler. Any difference in the target programs 

produced lay the two compilers is reported to the coa«)iler 
writer . Further the book points out that choosing the 
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procrrams to include in a test suite is a difficult 
problem. 

Prior art in the area of coicpilation technology include 
5 methods and systems for compiler optimization. US5577253 
""Analyzing inductive expressions in a multilanguage 
optimizing cowpiler'' describes a method executed in a 
coinputer system where a plurality of optimizations is 
performed by a generic compiler back-end using induction 
10 variables: This patenting optimization technique does not 
address the correctness of a compiler at a later time. 

US6671316 '^Automated validation and verification of 
coo^uter software" shows a method for verifying that a 
15 source code, which has been compiled, executes all 

different paths in the code. This is not concerned with 
the compiler correctness. 

A remaining problem in the area of safety control of real 
20 world entities is to insure the highest possible 
reliability of a user written program. 

Another problem relating to industrial control systems is 
that the complexity of system software distribution (such 
25 as via Internet) has led to an increased risk of that 
errors occurs in the compiler software. 

The inventors have found that there is a need to ensure 
that a coxcQpiler for software with the purpose of safety 
30 control of real world entities do not change it's way to 
produce code during that it is distributed, stored as 
binary code or is reconqpiled from the associated high 
level code. 




SUM&£ARY OF THE INVENTION 

An object of the present invention is to provide a method 
to revalidate a conpiler intended for compilation of a 
5 user written program for execution of safety control in 
an industrial control system. 

This and other objects are fulfilled by the present 
invention according to a method described in a claim 1. 
10 Advantageous embodiments are described in sub-claims. 

With the present invention a test program, defined in a 
control language, is coinpiled* By verifying that the test 
program executes correctly, the compiler is validated. A 
15 first software means for later coitparison purposes is 

generated. In conjunction with the con^ilation of a user 
written program the test program is compiled. Based on 
the second compilation of the test program a second 
software means is generated. The con^iler is revalidated 
20 for errors introduced between the first and second 

compilation by comparing the first and second software 
means. Provided that the revalidation indicates no errors 
in the compiler, the user written program is enabled to 
execute in a device with safety features for control of 
25 real world entities. 

The user written program subject to coxnpilation by the 
coit^iler is intended for execution in a device, which 
comprises functionality that adds safety features to an 
30 industrial control system. As mentioned above a method 

according to the invention include steps which shows how 
to generate a first and second software means based on a 
compiled test program. Typically the first software means 
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is generated at the time of establishing of new version 
or revision of the coiipiler of a control language. The 
first software means is typically associated with the 
revision or version of the compiler code at hand. The 
5 method cOT5>rises steps where a second software means is 
generated at the time of compilation of a user written 
program. The method comprise steps in which the first and 
second software means are used to revalidate the compiler 
conparing . the first software means with the second 
10 software means. The first software means and the second 
software means are derived from the compiled test program 
hy use of the same principals. 

The invention facilitates that no fault is introduced 
15 into the industrial control system due to error in the 
cons>iler code. Such an error can for instance occur 
during distribution of the conpiler code or an error can 
be due to failure in a conputer's memory or failure in a 
disk where the compiler code is stored. An error in the 
20 contpiler code can also occur due to faults in a computer 
register, a stack memory or in a CPU. 

A particular useful feature of the invention is that it 
facilitates that no such fault is introduced into the 
25 device for safety control of real world entities which 
otherwise could lead to accidents that harm people or 
cause damage to the environment. 

The user written program is typically written in control 
30 language, for instance based on lEC 61131-3. 



An aim of the invention is to detect a fault in the 
conqpiler code. The invention detects errors in the 
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ccaipiler code at any time of conipilation, which insures a 
high reliability of safety critical user written program 
conc>iled by the said compiler. 

A further object of the invention is to provide a 
computer program product containing software code means 
loadable into the internal memory of a general-purpose 
coaigputer or workstation and/or a device, which computer 
program products has software means to execute at least 
one step of the above described method. 



Yet a further object of the invention is to provide a 
co«s>uter program coa^prising coirputer code means and/ or 
software code portions for making a computer or processor 
15 perform any of the steps of the above described method. 

BRIEF DESCRIPTION OP THE DRAWINGS 

The present invention will be described in more detail in 
connection with the enclosed schematic drawings. 

20 

Figure 1 shows a schematic overview of an industrial 
control system comprising a computer loaded with compiler 
code and a device with safety control features. 
Figure 2 shows a schematic flowchart of a method based on 

25 the invention. 

Figure 3 shows a simplified diagram of an embodiment of 
the invention in where the compilation of the test 
program is performed at the same time as the conpilation 
of a user written program. The compiled test program is 

30 con«>ared with a previous compilation of the test program. 
Figure 4 shows a simplified diagram of another embodiment 
of the invention where the compilation of the test 
program is performed at the same time as the con«>ilation 




of a user written program. The figure shows that the 
second software means is downloaded to a device executing 
safety control where it is compared with the first 
software means. 




DETAILED DESCRIPTION OF THE INVENTION 
Figure 1 shows a schematic diagram of an industrial 
control system 2 with a device 6a comprising safety 
features 6b. A user written program intended for safety 
5 control of real world entities 10 is typically compiled 
in a workstation 5a or in a general purpose computer. 
Such a workstation 5a or general purpose computer is 
connected by commxinication means 3 to the device 6a. The 
communication means 3 is based on communication standards 
10 such as fieldbus technology or such as TCP/IP. The 
industrial control system 2 comprise a multitude of 
different devices such as controllers 6c, PLCs 1, 
operator stations or process portals 4 and process I/O 8 . 
The above mentioned devices may exist in any number and 
15 in coiribination with other devices common in an industrial 
control system. The device 6a comprising safety featxxres 
6b may be an individual device such as a PLC or 
controller. *nie safety features are such that the device 
and/or the industrial control system con^ly with safety 
20 standards such as Safety Integrity Levels (SIL) as 

defined in the standard lEC 61508. The device may also 
coicqprise one or several software modules with safety 
features added to the device. The device 6a is connected 
to real world entities 10 subject to safety control via 
25 communication means such as a fieldbus or process I/O. 
Exan^les of real world entities are actuators, 
instruments, motors, valves, pumps, fans etc. A real 
world entity may also be a group of entities or a system 
of entities . 

30 

A device 6a for safety applications in a process control 
system 2 typically execute user written applications 
described in a high level language derived from the 



9 

standard lEC 61131-3, MthLch is well loxown to a person 
skilled in the art. Hence, the compiler 22 is typically a 
coinpiler for a high level language derived from the 
standard lEC 61131-3. 

5 

Hereafter a release, a version or a revision of the 
conpiler is called the compiler. 

validating a coi^piler for safety control is typically 
10 made at a soiEtware factory. A software factory is in this 
context a location where sufficient and certified test 
equipment as well as qualified personal is available to 
perform tests and validation of the compiler. Validation 
of the coii5>iler and the associated tests should be 

15 substantial. Hob tests should for instance insure that 

the conpiler 22 and the safety features meet requirements 
of safety certification. Also other requirements need to 
be met such as sufficient performance in order for other 
applications or programs to execute in the industrial 

20 control system 2. The validation of the compiler comprise 
verification of that applications executes correctly in 
the device for safety control of real world entities. 

The invention disclose that, in addition to the above 
25 described validation of a con«>iler, a test program 20 is 
established where the purpose of the test program 20 is 
to use it as input for revalidation of the compiler 22 
outside the software factory. A test program 20 should 
include all logic of the control language, which is used 
30 for safety control applications. The definitions used in 
a typical test program are typically derived from the lEC 
61131-3 standard, A preferred test program is built lay 
using all languages, all functions and all language 
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constructs i This in order to insure that the compiler 22 
parses and checks. all logic expressions during 
conpilation of the test program which later are to be 
used in a user written program 21. 

5 

m an embodiment of the invention a version or revision 
of the conS)iler from the software factory is associated 
with the test program. The test program is at least 
partly used in the validation of the compiler at the 
10 software factory. A first software means intended for 
later conparison purposes is also associated with the 
version or revision of the compiler. It is further 
advantageous to distribute the test program together with 
the release, version or revision of the compiler. 

15 

Figure 2 shows a schematic flow chart of a method based 
on the invention. The test program 20 is defined in a 
control language. The method comprises the step of 
conpiling 11a the test program by means of the compiler. 
20 Further the method comprises the step of validating lib 
the compiier by verification of that the test program 
executes correctly. 

Figure 2 also shows that the method comprises the step of 
25 generating a first software means 12. The first software 
means is dependant of the executable code of the test 
program 20. The first software means may have many 
embodiments. In one embodiment the first software means 
23 comprise the original executable code of the compiled 
30 test program. In another embodiment generating 12 a first 
software means comprise the calculation of a check-simi 
and/ or a code for cyclic redundancy check. In such an 
embodiment the check-sum and/or the code for cyclic 




redxindancy check is calculated with the compiled test 
program as one input. Hereafter a code for cyclic 
redundancy check, is called CRC. A CRC can be calculated 
or derived in several ways. For instance, a CRC can be of 
5 length 16 bit or 32 bit. TThe 16 bit polynomial CRC-CCITT 
(X^^+X^^+X^+1) or the 16 bit polynomial (X^^+X^^+X^+l) are 
example of polynomials suitable to be used in embodiments 
of the invention. An example of a 32 bit polynomial, 
which can be used to calculate a CRC, is 
10 (X^2+X2«+X^^+X22+X^«+X^2+X^^+X^°+X^+X''+X^+X^+X^+^^ . The 

mentioned 32 bit polynomial is defined in the Ethernet 
standard IEEE 802.3 and is a preferred polynomial to use 
in enibodiments of the invention. In an alternative 
embodiment a checksum, such as a parity check, could be 
15 used. 

Figure 2 shows that a method based on the invention 
coit^rises the step of compiling 13 the test program 20 a 
second time. Coirpiling 13 the test program 20 is made in 
20 conjunction with the compilation of a user written 

program 21. Mie time lag between generating 12 the first 
software meeu^LS 23, 35 and compiling 13 the test program 
20 a second time, is typically, several days or weeks. 
The time lag may be up to several years. During the time 
25 between generating 12 the first software means and 

compiling 13 the test program a second time, an error in 
the coK^iler code ndght have occurred. Such an error can 
for instance occur during distribution of the compiler 
code or an error can be due to failure in a computer's ^ 
30 memory or failure in a disk where the con^iler code is 
storedl. An error in the compiler code can also occur due 
to faults in a computer register, a stack memory or in a 
CPU. 
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Fiurther, £lgure 2 shows that the method coxnprlses the 
step o£ generating 14 a second softwcure means 24a, 31 
based on the second compilation of the test program 20 « 
The step of generating the second software means 24a, 31 
5 is based on the same principals as the previous step of 
generating 12 the first software means. As with the first 
software means the second software meeuis may have many 
embodiments. In one embodiment the second software means 
24a comprise the executable code of the second 

10 coitqpilation of the compiled test program 20, In another 
embodiment generating 14 the second software means 
comprise a calculation of a check-sum and/or a code for 
cyclic redundancy check. Alternative ways of calculation 
a check-sum and/or a code for cyclic redundancy check are 

15 described in more detail in the above description of 
generating the first software means. Figure 3 shows a 
more detailed overview of generating 14 a second software 
means 24a and the following steps of conparing 15 
software means and enabling 16 the user written program 

20 26. Figure 4 indicates that in an alternative embodiment 
of the invention the second software means 31 is 
downloaded to the device 6a. 

Figure 2 also shows that the method comprises the step of 
25 comparing 15 the first software means with the second 

software means. Figure 3 shows that in one embodiment of 
the method the comparing step is performed by means of 
the same workstation 5a or general purpose computer as in 
which the compiler 22 is installed. In such embodiment 
30 the conqparing step 15 of the first software means 23 and 
the second software means 24a may be implemented by use 
of standard features provided by an operating system. 



35 



In another embodiment the comparing step 15 is performed 
by means of the device 6a. Figure 4 shows an overview of 
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such an enibodiment. In such an ^libodixnent It is 
preferable that the first software xneans 35 is down- 
loaded to the device 6a together with the system 
software. Figure 4 indicates that the first software 
means 35 typically has been down-loaded to the device 6a 
before the second con^ilation of the test program 20. The 
second software means 31 is down- loaded 34 in con- 
junction with a successful compilation of the user 
written program 26. 



Comparing 15 the software means does, in one embodiment 
of the invention, involve a coic«>are of the reminder 
values - and not between the values where the reminder is 
included in the calculation. In the latter case the value 

15 will be 0 and a comparison between 0 and 0 may result in 
that the stored calculation is placed in a memory where 
some or all bits are stuck at 0 and the comparison may 
give an invalid result. That is why a conparison between 
nonzero values (such as reminder values) yields a higher 

20 probability to discover faults. 

In an alternative embodiment of the invention the steps 
of compiling the test program 13, generating 14 a second 
software xneans and compctring 15 the first and second 

25 software means is repeated any number of times. In such 
an alternative embodiment an additional source of data 
xnay be used with the purpose of generating a change in 
both the first and second software means. An example of 
such an embodiment is that the generating step of the 

30 second software means coic^rise an additional step of 
conibining a variable that change over time with the 
second software means. The variable that change over time 
typically relates to the second compilation of the test 
program. In the same alternative embodiment the comparing 

35 step may comprise an additional step of down- loading the 
variable that change over time. It is advantageous to use 
a date&time stamp. In one embodiment according to figure 
4 the da te& time stamp is down- loaded to the device 6a and 




the date&time stanp is combined with the first software 
means 35. The advantage of using a variable that change 
over time, such as a date&time stamp, is to generate a 
change in the first and second software means over time. 
5 Such a change eliminates the possibility that one unit in 
the down-load chain, stores the second software means 
during a down- load and at a later down-load sends that 
second software means instead of the new one it receives. 

10 Figure 2 also shows that the method comprise the step of 
enabling 16 the compiled user written program 26 to 
execute in the device 6a with safety f eatxires for control 
of real world entities 10. The enabling step of the 
method xs performed provided that no errors were detected 

15 in the coitnpiler in the previous steps. 

A method according to the invention is at least partly 
performed under control of a set of computer readable 
instructions contained in a computer program storage 
20 device. 

The invention also discloses a computer program product 
5b intended for safety control in an industrial control 
system 2 . The coxaputer program product 5b comprise 
functionality of enabling a user written program to 
execute after revalidating the compiler according to the 
above described methods. Further the coitputer product 
comprises software means for carrying out a further 
action to receive a signal sent across internet 1 
comprising the first software means 35. 

The invention also discloses a computer program 
coxnprising computer code means for making a computer or 
processor perform any of the steps of the above described 
method. 





The foregoing disclosure and description of the invention 
are illustrative and explanatory thereof, and various 
changes in the ccMKgobrients , processing and coii5>utational 
5 st^s and procedxires, as well as in the details of the 

illustrated circuitry and method of operation may be made 
without departing from the spirit of the invention. 
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CLAIMS 

1, A mefehod to revalidate a coinpiler (22) intended for 
compilation of a user written program for safety control 
5 in an industrial control system (2), consprising the steps 
of 

- con^ilirig (11a) a test program (20) a first time which 
test program is defined in a control language; 

- validating (lib) the compiler by verification of that 
10 the test program executes correctly; 

chetracterlzed by the further steps of 

-generating (12) a first software means derived from the 
conpiled test program intended for later comparison 
purposes ; 

15 -coxnpiling (13) the test program a second time in 
conjunction with the compilation of a user written 
program; 

-generating (14) a second softwetre means intended for a 
coinparison based on the second convpilation of the test 
20 program; 

-conparing (15) the first software means with the second 
software means; wherein the compiler (22) is revalidated, 
for errors introduced between the first and the second 
con^ilation; 

25 - enabling (16), provided that the revalidation indicates 
no errors in the compiler (22), the user written program 
to execute in a device (6a) with safety features for 
control of real world entities (10) . 

30 2, A method according to claim 1, characterized in that 
the comparing step (15) is performed in the same 
workstation (5a) or general-purpose computer as the 
compiler (22) is executing. 
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3. A method according to claim 1, charactorizea in tliat 
the software means is a check-sum or a code for cyclic 
redundancy check . 

5 4. A method according to claim 3, characterized in that 
the comparing step (15) is performed in the device (6a) 
with safety features . 

5, A method according to claim 4, characterized in that 
10 the comparing step (15) coit^rise an additional step of 

down- loading a variable that change over time, which is 
down-loaded in the same message as the check-s\am or code 
to the device (6a), where the variable that change over 
time is used to achieve a change in the message* 

15 . . 

6. A method according to claim 1, characterized in that 
the test program (20) is defined in a control language 
derived from the standard lEC 6-1131 • 

20 7. A coxwputer program product (5b) containing software 
code means loadable into the internal memory of a 
general-purpose computer or workstation (5a) and/ or a 
device (6a), Characterized in that said con^uter program 
product has means to execute a coinputer implemented step 

25 of con^iling (13) the test program a second time, a 

con©uter implemented step of generating a second software 
means (14), a computer ixi^lemented step of coiitparing (15) 
the first software means with the second software means 
and a counter implemented step of enabling (16) the user 

30 written program to execute in the device (6a)/ all steps 
according to claim 1* 
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8. A coxnputer program product (5b) according to claim 7 
which coirprise software means for carrying out a further 
action to: 

-receive a signal sent across internet (1) con^rising the 
first software means (35) . 

9. A conputer program comprising conrputer code means 
and/or sof tW8ire code portions for making a conputer or 
processor perform any of the steps of claims 1-6. 
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ABSTRACT 

The present invention concerns revalidation of a compiler 
of control language for use in an industrial control 
system, in particular the invention reveals a method to 
revalidate a conpiler for coit5>ilation of a user written 
program, which is intended for safety control of real 
world entities. The user written program subject to 
compilation by the compiler is intended for execution in 
a device, which coiqprises functionality that adds safety 
features to an industrial control system. The invention 
insures that no fault is introduced into the device due 
to error in the compiler code. Such an error can for 
instance occur during distribution of the conpiler code 
or due to failure in a con5«xter's memory or failure on a 
disk where the conqpiler code is stored. Hence the 
invention insures that no such fault is introduced into 
the control of real world entities which otherwise could 
lead to accidents that harm people or cause damage to the 
environm^t . 
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